Trojan targets Craigslist users with spam

John P. Mello |
Aug. 28, 2013

Malicious app used to hawk mobile spyware on the popular free classifieds site

Although the malware has a highly specific purpose now, once a machine is infected, the bad app could be repurposed for greater malignancy in the future. "Anytime a computer is infected with malware, the box is owned by someone else and they can use it to do all kinds of different things," Brandt said.

Mike Gross, director of professional services and risk management at 41st Parameter, said thatÃ'Â credential theft is always a possibility with this kind of malware. "The biggest risk is always key loggers that essentially give the attackers access to any account where the legitimate user enters a username-password combination online," he told CSOonline.

In addition, since the botnet is controlled elsewhere on the Web, it likely has an auto-update function for downloading and modifying what's on an infected machine. "An auto-update feature would make the possibilities of danger endless for the infected device," said Tommy Chin, a technical support engineer with Core Security.

Craigslist did not respond to a request for comment for this story.

"Craigslist is a relatively open environment, with no strong validation of posts," Gross said. "It relies on users to post legitimate classifieds. Its primary form of policing spam is by user feedback, which is very reactive."

The online classifieds service is also largely free, which may also be contributing to its being a target of Internet lowlifes. "It's much easier to target a free service than it is a paid service," Chin said. "Free services require much less verification on the user's part."

"The site is also still in its infancy in regards to anti-spam and security practices," he said.